Joe Security's Blog

Retefe loaded with new MUILanguage Sandbox Evasion

Published on: 27.11.2017

Lately, we came across a new Retefe version which uses a nice trick to bypass sandboxes (Retefe is a well-known and sophisticated e-banking trojan). The initial analysis looks quite normal: there is no suspicious behavior, no dropped files, no domain requests, etc.

One interesting fact though is the WMI query:

If we extract the memory strings (strings taken from memory dumps) we detect a full VBA script:

The interesting function performing the WMI query is called "CheckTest":

The function enumerates the MUI languages, which basically is a list of all installed languages for the Windows interface (MUI stands for Multiple User Interface). If only one language is installed and that language is en-US, Retefe will not execute any payload.
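To check whether a sandbox VM would trip this evasion, the following PowerShell audit (an added example, not Joe Security's code or the Retefe script) queries the installed MUI languages through WMI/CIM and flags the single-en-US case. It assumes the sample reads the MUILanguages property of Win32_OperatingSystem; the post does not show the exact query text, so that property is an assumption.

```powershell
# Added example: audit a sandbox VM for the "exactly one language, and it is en-US"
# condition described above. Assumption: the evasion reads
# Win32_OperatingSystem.MUILanguages (the post does not show the literal query).
function Test-MuiSandboxExposure {
    [CmdletBinding()]
    param(
        # Language that the evasion check treats as the default sandbox locale
        [string]$SuspectLanguage = 'en-US'
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $mui = @($os.MUILanguages)   # string[] of installed UI language packs; @() guards a null value

    # Mirrors the decision rule from the post: one installed language and it equals en-US
    $exposed = ($mui.Count -eq 1) -and ($mui[0] -ieq $SuspectLanguage)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        MUILanguages  = ($mui -join ', ')
        LanguageCount = $mui.Count
        # $true means a sample using this check would refuse to run its payload on this VM
        Exposed       = $exposed
        Remediation   = if ($exposed) {
            'Install at least one additional language pack and re-run the audit.'
        } else {
            'No action needed for this check.'
        }
    }
}

Test-MuiSandboxExposure | Format-List
```

Run it inside the analysis VM itself; a result of Exposed = True means samples using this check would stay dormant there.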

Within 2 working days we added a new VM to Joe Sandbox Cloud which has several language packs installed: